Archives for November 2014

Happy Holiday

The health team at Wolters Kluwer is out of the office for the Thanksgiving holiday. We will resume our regular posting schedule on Monday, December 1st. In the interim we invite you to check out the Food and Drug Administration’s page on food safety for a healthy holiday.

Highlight on California: Courts Side with Providers in Golden State Data Breaches, For Now

Two recent cases decided by two California appellate courts shed some light on what one source describes as “judicial reluctance” to award damages to individuals whose information was potentially leaked in a security breach. At least this was the result in these matters where the plaintiffs could not prove anything beyond minimal harm stemming from the breaches. Considering these decisions as well as the sharp increase in reports of breaches of security information in California and across the country, the question arises: to what extent will these precedents be followed in other jurisdictions? Moreover, will the results change if the plaintiffs are able to prove more than minimal harm, and what does that entail?

Data Breaches in California

In October, the California Attorney General’s Office released a report that, according to the California Attorney General, Kamala D. Harris, “sheds light on the threat that data breaches pose to California consumers and businesses, including an analysis of the information the Attorney General’s office collected on data breaches in California in 2013.” Describing the state as uniquely subject to developments in the security of sensitive information as it is both “the birthplace of the digital revolution” and the location of the world’s eighth largest economy, the report revealed that in 2013 the number of reported breaches grew by 28 percent over the number in 2012. The report disclosed that the number of Californians whose data was affected in 2013 increased by 600 percent, which was, as the report stated, “due largely to two massive retailer breaches, one of which, the Target breach, involved the payment card data of 41 million individuals, including 7.5 million Californians.”

With respect to health records, the report stated that in this industry, “breaches affected more records than in other industry sectors, with the exception of retail since the two mega breaches of 2013.” Because the majority of the health care sector’s breaches (70 percent of breaches in this industry reported in the last two years) were due to stolen or lost hardware that contained unencrypted personal information, the report concluded that the “strategic use of encryption” with regard to information technology in this industry could make a large difference. Moreover, the report referenced other studies that have revealed the rise of criminal activity targeting personal health information, which is exacerbated by health care employees’ use of unsecured portable devices. The report summarized its findings and recommendations as follows: “The need to use encryption is a lesson that must be learned by the health care industry and we recommend that it be applied not only to laptops and portable media, but also to many computers in offices.”

Recent California Cases

Both recent cases were brought by individuals whose health records were subject to unauthorized data breaches in the state of California. Each suit was brought against the provider and keeper of those records pursuant to the California Confidentiality of Medical Information Act (CMIA). CMIA bars providers from unauthorized disclosures of patient information and provides for remedies at law and imposes nominal damages against providers that negligently release unauthorized information.

In Sutter Health v Superior Court (Atkins), a California appellate court ruled that the provider was not liable for the nominal $1,000 in damages to each of the members of the class action suit, which totaled $4.24 billion; the ruling stood after the California Supreme Court denied review of the case. In this matter, the class of individuals brought charges against the provider after a thief broke into the provider’s office and stole a computer that contained the health records of over four million patients. Therefore, according to a report on the Sutter decision, “in California a health care provider is not liable for the nominal damages set forth in [the CMIA] when password-protected but unencrypted information is stored on a computer, and the device is stolen, absent evidence the data was actually viewed.”

Similarly, in a matter brought against Eisenhower Medical Center, a data breach was caused by the theft of a computer which contained a password-protected but not encrypted “index of over 500,000 patients’ names, medical record numbers, ages, dates of birth, and Social Security numbers.” In Eisenhower Medical Center v Superior Court (Riverside), a California appellate court found that the CMIA did not apply in situations that lacked a breach of information relevant to history of treatment, diagnosis, or care. “The mere fact that a person was a patient of the provider at some time, the court concluded, was insufficient to impose liability under CMIA,” according to commentary on the decision.

Questions Remain

While some sources note that these rulings indicate that, despite the adoption of CMIA, “it could be difficult for patients to successfully sue California health care facilities over data breaches,” it is unclear how these matters would proceed given a different fact pattern regarding the details of the breach. While the California courts seemed to have carved out some exceptions or caveats to the prohibition of disclosure of unauthorized information under CMIA, how far do these exemptions go and to what extent will this trend be mirrored in other jurisdictions where data breaches are also on the rise?

Kusserow on Compliance: DOJ Reports Over 700 Whistleblower Cases in 2014

The Civil Division of the Department of Justice (DOJ) reports obtaining a record $5.69 billion in settlements and judgments from civil cases involving fraud and false claims against the government in 2014. About 40 percent of this ($2.3 billion) involved federal health care programs (mostly Medicare and Medicaid). The balance of $3.1 billion was from banks and other financial institutions involved in making false claims for federally insured mortgages and loans. In a separate announcement, the DOJ reported that the total combined collection from both the civil and criminal DOJ enforcement actions was $24.7 billion and includes $13 billion collected directly and $11 billion in indirect payments made to other federal agencies, states, and other recipients.

Whistleblower Rewards

The DOJ made note that most false claims actions are filed under the act’s whistleblower, or qui tam, provisions that allow individuals to file lawsuits alleging false claims on behalf of the government. The number of these cases exceeded 700 this year. More than half of the recoveries are from the qui tam cases, with the highest percentage found in the health care cases. In the nearly $3 billion recoveries related to qui tam lawsuits, whistleblowers received $435 million in payouts. From January 2009 to the end of fiscal year 2014, the government paid awards in excess of $2.47 billion.

Health Care Fraud

From 2009 through 2014, the DOJ used the False Claims Act to recover $14.5 billion in federal health care dollars. In the current year, most of the recoveries ($2.3 billion) came from the pharmaceutical industry. Half of that came from the Johnson and Johnson related cases. Another notable case resulted in a recovery of $116 million from Omnicare that resolved allegations that Omnicare engaged in a kickback arrangement with skilled nursing facilities to induce the facilities to select Omnicare as their pharmacy provider, in violation of the Anti-Kickback Statute.

Hospital Cases

Cases involving hospitals resulted in $333 million in 2014 settlements and judgments, with significant recoveries from two hospital chains. Community Health Systems, Inc., the nation’s largest operator of acute care hospitals, paid $98.15 million in a settlement for inpatient services that should have been provided in a less costly outpatient or observation setting. Halifax Hospital Medical Center paid $85 million to resolve allegations that it violated the Stark Law, which prohibits hospitals from billing Medicare for certain services when referred by physicians who have a financial relationship with the hospital.

Home Health

Home health services occupied considerable attention of the DOJ, both in its criminal and civil divisions. On the civil side, Amedisys Inc., one of the nation’s largest providers of home health services, paid $150 million to resolve allegations that it billed Medicare for medically unnecessary services, for services to patients who were not homebound, and for violations of the Anti-Kickback Statute.

Cardiac Cases

Boston Scientific Corp., which purchased Guidant LLC and Guidant Sales LLC, and Cardiac Pacemakers Inc. in 2006, paid $30 million to settle claims that Guidant sold defective heart devices to health care facilities that implanted them into Medicare patients. King’s Daughters Medical Center paid $41 million for billing Medicare and Medicaid for coronary procedures that the government alleged were unnecessary. St. Joseph’s Health System paid over $16 million to settle allegations that it billed Medicare and Medicaid for numerous invasive cardiac procedures that were performed on patients who did not need them.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.

Health Workers Demand Nationwide Protection Standards for Ebola Virus

The National Nurses United (NNU) stormed Washington on November 18, 2014, to demand unified protection standards from the U.S. Occupational Safety and Health Administration (OSHA) and other states regarding the Ebola virus. The NNU wants nationwide implementation of the recently established California protective mandates that resulted from nursing strikes calling for the protection of nurses, other health workers, and the public from the threat of the deadly virus.


The Centers for Disease Control and Prevention (CDC) issued suggested guidelines in October 2014 that were considered not stringent enough and too late after Thomas Eric Duncan arrived in September at a Texas hospital from West Africa with Ebola symptoms. Duncan was initially sent home with antibiotics and aspirin. After Duncan returned to the hospital, health workers found themselves unprepared to handle his symptoms. Duncan passed away from the disease. Days later, the CDC guidelines were issued. Because one of Duncan’s nurses exhibited a fever slightly lower than the guidelines’ established temperature benchmark, but was found to have contracted the disease, the CDC issued another set of revised guidelines in November.

In the same month, 18,000 Californian nurses working for Kaiser Permanente (Kaiser) held a two-day strike against underdeveloped health care standards for Ebola. The nurses reported that the hospital refused to address inadequate Ebola safety protocols and protective equipment training and refused to answer questions by the registered nurses (RNs). The strike against Kaiser reportedly impacted 21 hospitals and 35 clinics and helped bring forth the issue of health workers’ rights in the face of public health emergencies (see Ebola: Legal implications for the press, health care workers, providers, patients, employers, and employees, November 19, 2014).

After other strikes by the NNU and the California Nurses Association RNs (CNA) ensued, California state officials released updated Ebola standards for all California hospitals requiring an optimal level of personal protective equipment (PPE), comprehensive training procedures, and other protocols reflecting the standards the NNU and CNA represented. The California regulations, unlike those of the CDC, are mandatory.

Mandatory Standards

California’s Ebola standards were structured according to the existing California Occupational Safety and Health Administration (Cal/OSHA) regulations outlining proper steps to safely provide care for suspected or confirmed Ebola patients. CNA will be responsible for monitoring hospital compliance; those hospitals that don’t comply will face civil penalties.

CNA Executive Director RoseAnn DeMoro noted that in response to Ebola, NNU has advocated the precautionary principle “that absent scientific consensus that a particular risk is not harmful, especially one that can have catastrophic consequences, the highest level of safeguards must be adopted, and a sharp contrast to the profit principle that has guided the response of most hospitals.”

Some representative California Ebola regulations are:

  • The requirement of hospitals to provide to all hospital staff caring for a suspected or confirmed Ebola patient full-body protective suits that meet the American Society for Testing and Materials (ASTM) F1670 standard for blood penetration and the ASTM F1671 standard for viral penetration and that leave no skin exposed or unprotected. The protective suits must be available to employees who clean contaminated areas and to staff assisting other employees with the removal of contaminated protective gear;
  • The provision of powered air-purifying respirators (PAPRs) with a full cowl or hood for optimal protection for the head, face, and neck of any RN or other staff who provide care for a suspected or confirmed Ebola patient; and
  • Whistleblower protection for employees who report hospitals that violate the regulations.

While California’s regulations may become the national benchmark for Ebola preparedness, David Gevertz, Vice Chair of Baker Donelson’s Labor & Employment Group, in an interview with Wolters Kluwer, pointed out that the current OSHA standards “offer limited protections to employees who refuse to perform a job if they believe in good faith that they are exposed to an imminent danger. The level of exposure necessary to qualify as an ‘imminent danger’ has not yet been defined.”